System and method for information delivery based on at least one self-declared user attribute with audit records

ABSTRACT

Various embodiments of the present invention are directed to providing a user the ability to self-declare one or more permission attributes about the user that form the basis for the filtering (e.g., the dynamic filtering) of current and/or future content. In this manner, access to the content may thus be governed by the self-declared permission attributes (in one example (which example is intended to be illustrative and not restrictive), the present invention may operate within a secure, tracked content delivery infrastructure).

RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Application Ser. No. 60/667,888, filed Apr. 1, 2005, which is incorporated herein by reference in its entirety.

FIELD OF THE INVENTION

Various embodiments of the present invention are directed to providing a user the ability to self-declare one or more permission attributes about the user that form the basis for the filtering (e.g., the dynamic filtering) of current and/or future content. In this manner, access to the content may thus be governed by the self-declared permission attributes (in one example (which example is intended to be illustrative and not restrictive), the present invention may operate within a secure, tracked content delivery infrastructure).

For the purposes of describing and claiming the present invention the term “self-declared” is intended to refer to an indication or selection associated with a given entity that is made by the given entity itself.

Further, for the purposes of describing and claiming the present invention the term “value” (e.g., as used in “classification value” or “permission attribute value”) is intended to refer to a numeric indicator (e.g., a distinct number, a range of numbers) or an alphanumeric indicator (e.g., a text label such as “private”, “public”, “yes”, “no”).

BACKGROUND OF THE INVENTION

Security systems typically provide a way of filtering information based on criteria that are defined by an administrator. While such a typical security system may prevent a user from gaining access to protected system content if the user is not explicitly permissioned to do so, various embodiments of the present invention provide the ability to reveal certain content only to users with certain attributes, even if, for example, the system administrator is unaware of the user's identity or affiliation and the user is unaware of the nature of the content.

The filtering of the present invention may thus dynamically allow the same content to be accessed or not accessed by a particular user, based on self-declared permission attribute(s), in each situation. For example, the ability to self-declare the permission attribute(s) may help reduce the administrative overhead associated with granting or withdrawing permissions (e.g., depending on the business process) and enhance compliance with laws and policies regulating the users.

Of note, a properly working security system typically prevents access to information such that a user should gain access to information that he or she should not have only in the event of mistakes by the system administrator. Unauthorized access otherwise should not occur while the system is operational.

In this regard, introducing the ability of a user to self-declare permission attribute(s) may increase the risk of abuse or violation of policies. Various embodiments of the present invention therefore provide the ability to track access to information. This audit information can be reviewed, for example, in the form of a report or sophisticated search criteria and can return a list of possible violations of regulations (e.g., a compliance officer can use the findings to investigate possible violations).

SUMMARY OF THE INVENTION

One embodiment of the present invention relates to a computer implemented method of controlling access to at least one document, comprising: receiving for storage from a first user at least one document; receiving from the first user at least one classification associated with the stored document, wherein the classification has a value selected from at least a first classification value and a second classification value; receiving from a second user at least one permission attribute associated with the second user, wherein the permission attribute associated with the second user is self-declared and wherein the permission attribute has a value selected from at least a first permission attribute value and a second permission attribute value; and permitting the second user to access the stored document if the classification value of the stored document matches the permission attribute value declared by the second user.

One example business reason for utilizing the present invention may stem from concerns within the syndicated loan market. In such a syndicated loan market, loans are marketed to investors (including, without limitation, banks, debt funds, hedge funds). Many of the investors are institutional investors that invest in both the public markets (e.g., bonds, equity) and in the private loan market. Since disclosure related to certain loans often includes material non-public information (i.e., “private” information such as financial projections), these institutional investors have the potential to be conflicted with regard to insider trading regulations (e.g., regulations promulgated by the SEC). As such, users within these firms may require the ability to indicate their status on a particular loan based on: a) whether they trade or may trade in the stocks/bonds of that borrowing entity (e.g., on the “public” side); and/or b) whether they have procedures to prevent trading securities of the borrower or have walls/controls that allow them to trade in securities of the borrower while also investing in the loan market (e.g., on the “private” side). Based on their position for any given borrower, they should only see appropriate disclosure materials. Even accidental exposure to “private” information for a “public” investor can be problematic (syndicating agents are typically not aware of each investor's position for any given borrower and therefore typically have no clear way to permission content to them).

Similarly, in another example (which example is intended to be illustrative and not restrictive), classifications may be assigned so as to not cause parties involved in pre-merger due diligence or formation of joint ventures to violate antitrust regulations. Users such as professional advisors, executive management or directors could be granted broader access to counterparty information than users from within operating units (e.g., sales, regional managers, etc.), so that pricing and other information can be filtered, without knowing in advance the name, affiliation or security level of all users that could be invited to access content on the system for purposes of the transaction.

Similarly, in yet another example (which example is intended to be illustrative and not restrictive), classifications may be assigned so as to preserve attorney-client privilege with respect to content. Only users that identify themselves in a manner consistent with the preservation of privilege (e.g., attorneys rendering advice or responding to requests for legal advice and persons within client organizations authorized to request and receive legal advice) would be granted access to the content associated with such classifications.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A shows a web browser screenshot of the uploading and classification of a document according to an embodiment of the present invention;

FIG. 1B shows a web browser screenshot of self-declaring a permission attribute according to an embodiment of the present invention;

FIG. 1C shows a web browser screenshot of hyperlinks to certain information according to an embodiment of the present invention;

FIG. 1D shows a web browser screenshot of hyperlinks to certain information according to an embodiment of the present invention;

FIG. 1E shows a web browser screenshot related to changing a self-declared permission attribute according to an embodiment of the present invention;

FIG. 1F shows a web browser screenshot related to changing a self-declared permission attribute according to an embodiment of the present invention;

FIG. 2 shows a web browser screenshot of a report related to various self-declared permission attributes according to an embodiment of the present invention;

FIG. 3 shows a screenshot of an alert relating to certain stored information according to an embodiment of the present invention;

FIGS. 4-9 show block diagrams related to databases and database structures according to various embodiments of the present invention; and

FIG. 10 shows a block diagram of a computer infrastructure according to an embodiment of the present invention.

Among those benefits and improvements that have been disclosed, other objects and advantages of this invention will become apparent from the following description taken in conjunction with the accompanying figures. The figures constitute a part of this specification and include illustrative embodiments of the present invention and illustrate various objects and features thereof.

DETAILED DESCRIPTION OF THE INVENTION

Detailed embodiments of the present invention are disclosed herein; however, it is to be understood that the disclosed embodiments are merely illustrative of the invention that may be embodied in various forms. In addition, each of the examples given in connection with the various embodiments of the invention is intended to be illustrative, and not restrictive. Further, the figures are not necessarily to scale, some features may be exaggerated to show details of particular components. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a representative basis for teaching one skilled in the art to variously employ the present invention.

Referring now to FIGS. 1A-1F, the classification of and controlled access to certain information according to an embodiment of the present invention is shown.

More particularly, FIG. 1A shows a web browser screenshot of the uploading and classification of a document according to an embodiment of the present invention. As seen in this Fig., a user (e.g., an administrative agent or a syndicating agent) indicates a target audience. In this example relating to potential investors, the choices for the classification values are “Public” and “Private”. Further, in this example the default classification value is “Private” (of course, the default classification value could be something other, such as “Public”). Of note, the user uploading the information is not responsible for permissions related to people who may try to access the information, only to the classification of the information.

Of course, after content is uploaded to the enterprise information system, the uploader, an administrator or a content manager may change the visibility setting for the content (defined by the classification value). Thus, in this example, the visibility setting may be changed from “Public” to “Private” or vice versa.

Referring now to FIG. 1B, it is seen that the user who may try to access the uploaded information (in this example an investor) self-declares his or her own permission attribute (having a value of either public or private in this example). As seen in this Fig., in this example the investor may be forced to make a selection before proceeding. In one specific example (which example is intended to be illustrative and not restrictive), the self-declaration can be made when the user enters any part of the system for accessing content relating to a subject company X and the self-declared permission attribute may remain associated with the user during this and any subsequent sessions within this portion of the system (or until such time as the user's access rights to such portion are terminated). In another specific example (which example is intended to be illustrative and not restrictive), the user could self-declare the permission attribute the first time he or she enters a portion of the system containing specific content (e.g., related to company X) and have the same self-declared permission attribute control access to content in other and additional portions of the system containing different content (e.g., related to company Y).

Further, as seen in FIGS. 1C and 1D, information in the system may be filtered (that is, access controlled) based upon the self-declared permission attribute values of each user. That is, FIG. 1C shows a listing (e.g., in the form of hyperlinks) of information accessible by users who have self-declared the “Private” permission attribute value (this information may comprise information which had been categorized as “Private” as well as information which had been categorized as “Public”). Similarly, FIG. 1D shows a listing (e.g., in the form of hyperlinks) of information accessible by users who have self-declared the “Public” permission attribute value (this information may comprise information which had been categorized as “Public” (e.g., information which may be viewed by anybody generally having access to the system or a portion thereof) and may exclude information which had been categorized as “Private”).

Of course, users may be given the opportunity to change the self-declared permission attributes. That is, the initially self-declared permission attribute(s) could be applied to all visits to the system or portions thereof until the user explicitly changes the user's attribute(s) within the user profile section of the enterprise information system or elsewhere (e.g., through a user interface). In this regard, FIG. 1E shows a web browser screenshot related to such changing of a self-declared permission attribute value and FIG. 1F shows a web browser screenshot related to confirmation of the change.

Referring now to FIG. 2, this Fig. shows a web browser screenshot of a report related to various self-declared permission attributes according to an embodiment of the present invention. In this regard, the present invention may track access to content with associated classifications and store the access details in an audit record (a complete audit trail of what information was disclosed/accessed (e.g., relative to each given investor), when the information was disclosed/accessed and how the information was classified at the time of being disclosed/accessed may be provided).

More particularly, in one example (which example is intended to be illustrative and not restrictive), an audit entry may comprise the user's name and ID, date and time of the access, information related to the content and other data. An additional audit entry may be made each and every time a user accesses any content in the system (anywhere in the system or in one or more specific portions of the system). Also recorded may be any changes to a user's self-declared permission attribute(s).

All audit records related to the content access, the content classification and/or the user's self-declared permission attribute(s) may be made available to authorized users and administrators through reports. The audit record may be used to provide a compliance officer of a company or regulatory entities with the ability to track compliance and detect violations of the regulations or company policies and take corrective action.

In another example (which example is intended to be illustrative and not restrictive), auditing policies can be embodied as follows: 1) in a definition in a user interface and stored in database tables and interpreted (or compiled) during runtime; 2) in a definition in configuration fields that are interpreted by business logic; and/or 3) in business logic that is incorporated into an existing system.

Referring now to FIG. 3, this Fig. shows a screenshot of an alert relating to certain stored information according to an embodiment of the present invention. More particularly, as seen in this Fig., a communication (e.g., via email or another mechanism) may be sent to one or more users indicating a change in content (e.g., the uploading of a new document to the system, the editing of an existing document, etc.).

In one example (which example is intended to be illustrative and not restrictive), an alert related to content classified as “public” will go to appropriate users who have self-declared permission attributes of “public” or “private”.

In another example (which example is intended to be illustrative and not restrictive), an alert related to content classified as “private” will go to appropriate users who have self-declared permission attributes of “public” or “private” (wherein “public” users are responsible for actually accessing the content or not).

In another example (which example is intended to be illustrative and not restrictive), an alert related to content classified as “private” will go to appropriate users who have self-declared a permission attribute of only “private” (wherein self-declared “public” users are not notified by the alert).

As described above, one embodiment of the present invention enables administrators and content managers to associate classifications and allowable classification values with the content of an enterprise information system. These classifications may already be included in the enterprise information system or may be specifically designed by its system administrator to represent classifications of the content. The classifications are typically not part of the content but may describe and represent the user characteristics, security clearance levels and/or metadata associated with access to the content.

In one example (which example is intended to be illustrative and not restrictive), the present invention may provide a user of an enterprise information system with the ability to dynamically select an existing or create a new information filter for current and/or future content managed by the enterprise information system.

In another example (which example is intended to be illustrative and not restrictive), a user may be required to select an existing or create a new permission attribute when he or she accesses the system the first time or after new classifications/permission attributes have been added. This may be done as soon as the user passes appropriate user credentials to the enterprise information system but before the user gains access to the functions of the enterprise information system (see, e.g., FIG. 1B). After the user creates or selects one or more permission attributes (that is, having desired values associated therewith), the system starts to release and suppress content accordingly. Of course, the fact that the user self-declares his or her permission attributes may comprise a differentiation from security systems in which an administrator selects a security level by user or by group and does not allow a user or member of such group to declare the presence of attributes associated with different security levels.

In another example (which example is intended to be illustrative and not restrictive), permission attribute(s) may be selected that are known to the user, notwithstanding that the user may not know or anticipate the nature, purpose or substance of the content on which such permission attribute(s) will act as a filter.

In another example (which example is intended to be illustrative and not restrictive), filtering may act on any single attribute or combination of multiple attributes, such that a plurality of users with the same permission attribute(s) may not have access to the same content, to the extent access is filtered by other attribute(s) or combinations of attribute(s).

In another example (which example is intended to be illustrative and not restrictive), the present invention may classify information not only based upon content but upon a location of a document within the system, a publication source, a comment, a reply, and/or association with other users (among other possibilities).

In another example (which example is intended to be illustrative and not restrictive), the visibility of certain information (e.g., represented by hyperlinks to stored information) may be implemented through various columns in database tables.

In another example (which example is intended to be illustrative and not restrictive), two (or more) aliases or user names per user could be defined. One alias could apply automatically one or more attributes for purposes of filtering access to content; the other aliases could apply to other attribute(s) for filtering access to content.

In another example (which example is intended to be illustrative and not restrictive), the system or system administrator can turn on or off each user's ability to self-declare permission attribute(s).

In another example (which example is intended to be illustrative and not restrictive), a limited or essentially unlimited number of classifications/classification values may be defined and linked to content, independent of modifications to the core system for storing and/or distributing content. Depending on the implementation strategy, the extensions can be made while the system is operating or before the system is restarted (of course, any desired number of self-declared permission attributes/permission attribute values may also be utilized).

For a limited number of classifications (e.g., 1 to 10), the system may add additional columns to the content tables in the database to be used only when additional classification information is added. The business logic could manage the classifications and could expand the queries as new classifications are added. Under this approach the query overhead may be minimized and the overall system performance may not be significantly impacted.

For an essentially unlimited number of classifications to be supported, the classifications could be placed in separate database tables and linked with a 1-n relationship to the content tables. Filtering could be accomplished using either an additional query per access to content or a table joined between the table that contains the content and the table that contains the classifications and their allowable values.

The allowable values per classification may be defined in multiple ways including, but not limited to, the following approaches:

1. A user interface that allows a user to define the allowable values per classification and stores them as metadata in an allowable value table.
2. A configuration file that is loaded at system start or when a change is registered by the server.
3. Business logic that can be plugged into the existing system after the release date.

The business logic and user interface may be constructed so that the classifications are considered when content is retrieved and/or updated.

The system programmer, system administrator, and/or user could create filters depending on the required flexibility in multiple ways including, but not limited to, the following approaches:

1. A user interface allows system administrators and/or users to define filters based on the logical combination of classifications and allowable values. The expressions may be stored in database tables. The data may be interpreted (or compiled and executed) during runtime.
   a. In one example (which example is intended to be illustrative and not restrictive), expressions such as “attribute_1 IN {val1, val2} AND NOT attribute_2 IN {val3}” could be defined by the user and/or system administrator to define a filter that filters out all content that has the values “val1” and “val2” in its classification “attribute 1” and does not have the value “val3” in the classification “attribute 2”.
2. The filters could be defined by system programmers and/or system administrators in a configuration file and interpreted after the expression is loaded into the system. The expression can be the same or similar to the expression in the bullet (a) above.
3. The system programmer could develop filters as business logic that are incorporated into the existing system. The plug-in may be loaded when the system is registering the new plug-ins and makes the filters available to the user when the functionality is desired to be used.
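An added example, not part of the specification: one way a stored filter expression of the form given in item (a) could be interpreted at runtime. The grammar (IN, AND, OR, NOT, parentheses), the function names and the rule that content lacking a referenced classification never matches are assumptions of this sketch; the predicate is true for items the expression matches, and whether matches are shown or suppressed is left to the caller.

```python
import re

# Words (attribute names, values, keywords) and the punctuation the grammar uses.
TOKEN = re.compile(r"\s*(?:(?P<word>[A-Za-z_][A-Za-z0-9_]*)|(?P<punct>[{}(),]))")
KEYWORDS = {"IN", "AND", "OR", "NOT"}
PUNCT = set("{}(),")


def tokenize(text):
    """Split an expression into tokens; any other character is rejected."""
    tokens, pos, text = [], 0, text.rstrip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input near offset {pos}")
        tokens.append(m.group("word") or m.group("punct"))
        pos = m.end()
    return tokens


def _and(a, b):
    return lambda item: a(item) and b(item)


def _or(a, b):
    return lambda item: a(item) or b(item)


class FilterParser:
    """Recursive-descent parser: OR binds loosest, then AND, then NOT."""

    def __init__(self, text):
        self.tokens, self.i = tokenize(text), 0
        self.attributes = set()  # every classification the expression refers to

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def name(self, what):
        tok = self.take()
        if tok in KEYWORDS or tok in PUNCT:
            raise ValueError(f"expected {what}, got {tok!r}")
        return tok

    def parse(self):
        pred = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"trailing input at {self.peek()!r}")
        return pred

    def or_expr(self):
        left = self.and_expr()
        while self.peek() == "OR":
            self.take()
            left = _or(left, self.and_expr())
        return left

    def and_expr(self):
        left = self.not_expr()
        while self.peek() == "AND":
            self.take()
            left = _and(left, self.not_expr())
        return left

    def not_expr(self):
        if self.peek() == "NOT":
            self.take()
            inner = self.not_expr()
            return lambda item: not inner(item)
        if self.peek() == "(":
            self.take()
            inner = self.or_expr()
            self.take(")")
            return inner
        return self.membership()

    def membership(self):
        attr = self.name("a classification name")
        self.take("IN")
        self.take("{")
        values = {self.name("a value")}
        while self.peek() == ",":
            self.take()
            values.add(self.name("a value"))
        self.take("}")
        self.attributes.add(attr)
        return lambda item: item[attr] in values


def compile_filter(expression):
    """Return a predicate over a dict of classification name -> value."""
    parser = FilterParser(expression)
    predicate = parser.parse()
    required = frozenset(parser.attributes)

    def matches(item):
        # Assumed rule: content missing a referenced classification never matches;
        # otherwise "NOT attr IN {...}" would be true for unclassified content.
        if not all(attr in item for attr in required):
            return False
        return predicate(item)

    return matches


if __name__ == "__main__":
    f = compile_filter("attribute_1 IN {val1, val2} AND NOT attribute_2 IN {val3}")
    print(f({"attribute_1": "val1", "attribute_2": "val9"}))  # constructed sample item
```

Because expressions are parsed into closures rather than passed to an interpreter or spliced into SQL, a malformed or unexpected expression is rejected at load time instead of changing what the filter releases.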

Referring now to FIGS. 4-9, block diagrams related to databases and database structures according to various embodiments of the present invention are shown.

More particularly, as seen in the example of FIG. 4, all Content has associated therewith a flag that indicates if Content is public or private information. Publication and Comment are subtypes of Content and therefore inherit that flag. Further, a participant is realized in the database and in the Java implementation as a relationship between the workspace and the user tables (objects in Java). Therefore, the participant references the user in a particular workspace. Moreover, the workspace contains an attribute “publicPrivateEnabled” that indicates if the public-private feature is enabled for the specific workspace. Further, the participant has an attribute called “publicPrivateSelected” that indicates if the particular user has self-declared the value “public” or “private” for the associated workspace.

Referring now to FIG. 5, in this example the Null Filter does not perform any filtering. The idea here is the filter is created to filter all returned Content items based on the publicPrivate flag. So, if the user only wants to see public information, the filter will filter out each returned content item that has a private flag. If the user wants to view private and public information, the filter allows all content to pass (Null filter).

Referring now to the example of FIG. 6, essentially the same mechanisms may exist here as before (e.g., FIG. 5). However, in this example the filter is created as a filter criteria for the query that is issued to the database or search engine. This implies that the filter criteria is incorporated in the defined content query (e.g., in a simple SQL query the filter criteria would be included in the WHERE clause).
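An added example, not part of the specification: the query-level filtering of FIG. 6 combined with the audit records described earlier for FIG. 2, using SQLite. The column names publicPrivateEnabled, publicPrivateSelected and publicPrivate follow the FIG. 4 description; the table layout, function names, sample rows and the rule used to flag a possible violation (a granted access to “private” content followed by a later “public” declaration in the same workspace) are assumptions of this sketch.

```python
import sqlite3

SCHEMA = """
CREATE TABLE workspace  (id INTEGER PRIMARY KEY, publicPrivateEnabled INTEGER NOT NULL);
CREATE TABLE participant(user_id TEXT, workspace_id INTEGER,
    publicPrivateSelected TEXT CHECK (publicPrivateSelected IN ('public','private')),
    PRIMARY KEY (user_id, workspace_id));
CREATE TABLE content    (id INTEGER PRIMARY KEY, workspace_id INTEGER, title TEXT,
    publicPrivate TEXT NOT NULL DEFAULT 'private'
        CHECK (publicPrivate IN ('public','private')));
CREATE TABLE audit      (seq INTEGER PRIMARY KEY AUTOINCREMENT, at TEXT, user_id TEXT,
    workspace_id INTEGER, event TEXT, content_id INTEGER,
    classification TEXT, declared TEXT, granted INTEGER);
"""

# The filter criteria live in the WHERE clause. A participant who has not yet
# declared (NULL) matches no branch and sees nothing in an enabled workspace.
VISIBLE = """
FROM content c
JOIN workspace w   ON w.id = c.workspace_id
JOIN participant p ON p.workspace_id = c.workspace_id AND p.user_id = :user
WHERE (w.publicPrivateEnabled = 0
       OR p.publicPrivateSelected = 'private'
       OR (p.publicPrivateSelected = 'public' AND c.publicPrivate = 'public'))
"""


def declare(conn, user, workspace, value, at):
    """Store a self-declared value and record the change in the audit table."""
    conn.execute("UPDATE participant SET publicPrivateSelected = ? "
                 "WHERE user_id = ? AND workspace_id = ?", (value, user, workspace))
    conn.execute("INSERT INTO audit (at, user_id, workspace_id, event, declared) "
                 "VALUES (?, ?, ?, 'DECLARE', ?)", (at, user, workspace, value))


def list_content(conn, user, workspace):
    """Listing for one user: excluded content is hidden by the query itself."""
    rows = conn.execute("SELECT c.id, c.title " + VISIBLE +
                        " AND c.workspace_id = :ws ORDER BY c.id",
                        {"user": user, "ws": workspace})
    return [tuple(r) for r in rows]


def open_content(conn, user, content_id, at):
    """Re-check the same criteria on access and audit the attempt either way."""
    row = conn.execute("SELECT workspace_id, publicPrivate FROM content WHERE id = ?",
                       (content_id,)).fetchone()
    if row is None:
        return False
    workspace, classification = row
    granted = conn.execute("SELECT 1 " + VISIBLE + " AND c.id = :cid",
                           {"user": user, "cid": content_id}).fetchone() is not None
    declared = conn.execute("SELECT publicPrivateSelected FROM participant "
                            "WHERE user_id = ? AND workspace_id = ?",
                            (user, workspace)).fetchone()
    # Classification and declaration are copied as they were at access time.
    conn.execute("INSERT INTO audit (at, user_id, workspace_id, event, content_id, "
                 "classification, declared, granted) VALUES (?, ?, ?, 'ACCESS', ?, ?, ?, ?)",
                 (at, user, workspace, content_id, classification,
                  declared[0] if declared else None, int(granted)))
    return granted


def possible_violations(conn):
    """Assumed report rule: private content was opened, then 'public' was declared."""
    rows = conn.execute("""
        SELECT a.user_id, a.content_id, a.at, MIN(d.at)
        FROM audit a JOIN audit d
          ON d.user_id = a.user_id AND d.workspace_id = a.workspace_id
        WHERE a.event = 'ACCESS' AND a.granted = 1 AND a.classification = 'private'
          AND d.event = 'DECLARE' AND d.declared = 'public' AND d.seq > a.seq
        GROUP BY a.seq ORDER BY a.seq""")
    return [tuple(r) for r in rows]


def demo():
    """Constructed sample data: one workspace, two investors, two documents."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO workspace VALUES (1, 1)")
    conn.executemany("INSERT INTO participant (user_id, workspace_id) VALUES (?, 1)",
                     [("alice",), ("bob",)])
    conn.executemany("INSERT INTO content (id, workspace_id, title, publicPrivate) "
                     "VALUES (?, 1, ?, ?)",
                     [(1, "Term sheet", "public"), (2, "Financial projections", "private")])
    before = list_content(conn, "alice", 1)            # nothing declared yet
    declare(conn, "alice", 1, "private", "2024-01-10T09:00")
    declare(conn, "bob", 1, "public", "2024-01-10T09:05")
    alice_sees, bob_sees = list_content(conn, "alice", 1), list_content(conn, "bob", 1)
    bob_granted = open_content(conn, "bob", 2, "2024-01-10T09:10")
    open_content(conn, "alice", 2, "2024-01-10T09:20")
    declare(conn, "alice", 1, "public", "2024-01-11T08:00")
    return before, alice_sees, bob_sees, bob_granted, possible_violations(conn)


if __name__ == "__main__":
    print(demo())
```

The denied attempt by the “public” user is audited as well, so a reviewer can see both the accesses that were released and the ones the filter suppressed.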

Referring now to FIG. 7, this example is a generalized version of the public/private feature. Content or subtypes of Content have specific classification attributes that can be used for filtering. The Workspace maintains in associated tables (ActiveClassification) the classifications that are enabled in a particular workspace. The active classifications can be retrieved calling the method getActiveClassification(). The participant refers to a list of selected Filters in the SelectedFilter table. The filters can be accessed through the method getSelectedFilters().

Referring now to FIG. 8, this example is similar to the private/public case. However, here the selected filters that are active in the workspace are selected by the participant in a given workspace. The assumption is that the filter is stored and retrieved by the system (this can be done by a multitude of approaches such as object serialization or Object-relationship mapping).

Referring now to FIG. 9, this example is essentially the same as before (e.g., FIG. 8) but in this scenario the search filters are embedded in the content query.

Referring now to FIG. 10, a block diagram of a computer infrastructure according to an embodiment of the present invention is shown. More particularly, as seen in this FIG. 10, Website Server 100 (which may have associated therewith one or more Databases 102) operatively communicates (e.g., via the Internet) with User 1 Computer 104, User 2 Computer 106 and User 3 Computer 108. Of note, each of User 1 Computer 104, User 2 Computer 106 and User 3 Computer 108 may have associated therewith appropriate software (e.g., a web browser). Of further note, each of User 1, User 2 and User 3 may be any entity described herein (e.g., a person uploading a document, a person viewing a document, a person editing a document, a person downloading a document).

Finally, reference will now be made to a number of examples directed to permission attributes and permission attribute values (of course, these examples are intended to be illustrative, and not restrictive).

More particularly, in one example (as discussed above) a permission attribute may refer to a user's public/private status relative to certain information. Associated permission attribute values may be, for example, “private” and “public”. In another example, associated permission attribute values may be “yes” and “no” (indicating a private status or a public status). In another example, associated permission attribute values may be “1” and “0” (indicating a private status or a public status).

In another example, a permission attribute may refer to a user's country of residence. Associated permission attribute values may be, for example, “USA” and “Other”. In another example, associated permission attribute values may be “yes” and “no” (indicating a USA residence status or another residence status). In another example, associated permission attribute values may be “1” and “0” (indicating a USA residence status or another residence status).

In another example, a permission attribute may refer to a user's security level. Associated permission attribute values may be, for example, “High” and “Low”. In another example, associated permission attribute values may be “yes” and “no” (indicating a high security level or a low security level). In another example, associated permission attribute values may be “1” and “0” (indicating a high security level or a low security level). In another example, associated permission attribute values may be in a numeric range (indicating a security level within a range).

In another example, a permission attribute may refer to a user's age. Associated permission attribute values may be, for example, “at least 18 years old” and “below 18 years old”. In another example, associated permission attribute values may be “yes” and “no” (indicating at least 18 years old or below 18 years old). In another example, associated permission attribute values may be “1” and “0” (indicating at least 18 years old or below 18 years old). In another example, associated permission attribute values may be a user's age.

Of course, any number of permission attributes may be combined in controlling access to information. For example (which example is intended to be illustrative, and not restrictive), a first user who is a “private” user and is a “USA resident” may be granted access to a first set of information; a second user who is a “public” user and is a “USA resident” may be granted access to a second set of information; a third user who is a “private” user and is “not a USA resident” may be granted access to a third set of information; and a fourth user who is a “public” user and is “not a USA resident” may be granted access to a fourth set of information (in this example, the first through fourth sets of information may be distinct from one another or there may be overlap (partial or total) between information in one or more of the sets of information).

While a number of embodiments of the present invention have beendescribed, it is understood that these embodiments are illustrativeonly, and not restrictive, and that many modifications may becomeapparent to those of ordinary skill in the art. For example, animplementation of the present invention may separate the filter logicfrom the logic related to the security system (of course, the securitysystem may be extended to enforce also the filter criteria). Further,the content filter may be designed and implemented to facilitatecompliance with federal and/or state regulations and/or with corporatepolicies regarding access to information (e.g., access to “private”information). Further still, under various embodiments of the presentinvention certain users (e.g., syndicating agent, administrative agent,sales desk) do not need to be responsible for knowing and identifyingwhat information is private. Rather, an issuer may be responsible forthis (e.g., by classifying uploaded documents appropriately). Likewise,under various embodiments of the present invention certain users (e.g.,syndicating agent, administrative agent, sales desk) do not need to beresponsible for knowing and identifying a given investor's “status”(e.g., private or public) relative to a given issuer. Rather, eachinvestor may be responsible for this (e.g., by self-declaring one ormore permission attributes). Moreover, under various embodiments of thepresent invention certain users (e.g., loan investors) may be provided amechanism for identifying “private” information in order to minimize thepotential for unintentional/inappropriate exposure (the presentinvention may provide for this to be handled in the market by aconsistent industry approach). 
Further still, the present invention may be used to apply other classifications and filters that are built in essentially the same way as the “visibility” classification, e.g., by adding additional columns to content tables and extending business logic and database queries to reflect their meaning to the business process (under this implementation strategy the system performance may be optimized since the system can perform very efficient filtering at the database layer). Further still, the self-declared permission attributes of the present invention may be applied to all content managed by an enterprise information system or to a subset of the content managed by an enterprise information system (e.g., on a client by client basis or on a deal by deal basis). Further still, access to specific content may be filtered by hiding certain content (e.g., providing a given user a list of hyperlinks to content which may be accessed by that user, based upon the content classification and the user's self-declared permission attribute(s), and not including in the list of hyperlinks any excluded content) or by prohibiting access to certain content (e.g., providing a given user a list of hyperlinks to content which may or may not be accessed by that user, based upon the content classification and the user's self-declared permission attribute(s), and prohibiting access to excluded content if the user clicks an excluded hyperlink). Further still, the various steps may be performed in any desired order, one or more steps may be deleted and/or one or more steps may be added.
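The database-layer filtering described above, covering both the "hide" and the "prohibit" behaviour and writing an audit record that snapshots the declaration and classification at the time of access, as an added example that is not code from the patent. The table and column names, the strict match across two attributes, the logging of denied attempts, and the sample rows are assumptions constructed for illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema: classification lives in extra columns on the content table.
SCHEMA = """
CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT,
                      visibility TEXT, residency TEXT);
CREATE TABLE declaration (user TEXT PRIMARY KEY,
                          visibility TEXT, residency TEXT);
CREATE TABLE audit (content_id INTEGER, user TEXT, at TEXT,
                    declared TEXT, classified TEXT, granted INTEGER);
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample content, one item per combination of the two attributes.
    db.executemany("INSERT INTO content VALUES (?,?,?,?)", [
        (1, "Term sheet", "private", "usa"),
        (2, "Press release", "public", "usa"),
        (3, "Lender memo", "private", "non-usa"),
        (4, "Fact sheet", "public", "non-usa")])
    return db

def declare(db, user, visibility, residency):
    """Store (or replace) the user's self-declared permission attributes."""
    db.execute("INSERT OR REPLACE INTO declaration VALUES (?,?,?)",
               (user, visibility, residency))

def list_links(db, user):
    """'Hide' mode: the query itself excludes items that do not match."""
    rows = db.execute(
        "SELECT c.id FROM content c JOIN declaration d "
        "ON d.visibility = c.visibility AND d.residency = c.residency "
        "WHERE d.user = ? ORDER BY c.id", (user,))
    return [r[0] for r in rows]

def open_item(db, user, content_id):
    """'Prohibit' mode: re-check on every request and record the attempt."""
    row = db.execute(
        "SELECT c.visibility || '/' || c.residency, "
        "       d.visibility || '/' || d.residency "
        "FROM content c, declaration d WHERE c.id = ? AND d.user = ?",
        (content_id, user)).fetchone()
    if row is None:
        return False  # unknown item, or no declaration on file
    classified, declared = row
    granted = classified == declared
    # Snapshot both values so a later re-declaration cannot rewrite history.
    db.execute("INSERT INTO audit VALUES (?,?,?,?,?,?)",
               (content_id, user, datetime.now(timezone.utc).isoformat(),
                declared, classified, int(granted)))
    return granted
```

Because `open_item` repeats the check server-side, a hyperlink that was hidden from the list still cannot be opened by requesting its id directly.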

1-42. (canceled)
 43. A method for tracking compliance to a company policy, the method comprising: providing a computer database in association with a computer server for storing a plurality of computer data content items, wherein each of the plurality of computer data content items is assigned a corresponding classification attribute that indicates a target audience by a first user through a first user computer in communication with the computer server via a network, and wherein at least a first classification attribute categorizes at least a first one of the plurality of computer data content items as belonging to a category that another user is restricted from viewing; providing, by the first user of the first user computer, permission for a second user through a second user computer to request access to the plurality of computer data content items; receiving, at the computer server, a request for access to the first one of the plurality of computer data content items from the second user through the second user computer via the network, wherein the request for access comprises a permission attribute that identifies at least one category of data content items that the second user is not restricted from viewing, wherein the permission attribute is self-declared by the second user and restricts the second user's access to the first one of the plurality of computer data content items if the permission attribute self-declared by the second user does not match the first classification attribute assigned by the first user; granting access, by the computer server, to the second user to the first one of the plurality of computer data content items if the first classification attribute assigned by the first user matches the permission attribute self-declared by the second user; storing at least one detail of access to the first one of the plurality of computer data content items in an audit record, wherein the at least one detail comprises at least one of: an identification of the computer data content item, a time of access, the self-declared permission attribute at the time of access, the first classification attribute at the time of access, and an identification of the second user; and providing the audit record to an authorized user as a report for tracking compliance to the company policy.
 44. The method of claim 43, wherein at least one of the first classification attribute and the permission attribute is associated with a company name related to the content of the first one of the plurality of computer data content items.
 45. The method of claim 43, wherein at least one of the first classification attribute and the permission attribute is associated with a named individual related to the content of the first one of the plurality of computer data content items.
 46. The method of claim 43, wherein at least one of the first classification attribute and the permission attribute is at least one of public and private.
 47. The method of claim 43, wherein the permission attribute is used to filter the plurality of computer data content items within the computer database in order to determine additional ones of the plurality of computer data content items to which the second user is granted access.
 48. The method of claim 43, wherein the permission attribute of the second user is declared at the time of the requested access.
 49. The method of claim 43, wherein the permission attribute of the second user has been previously declared and stored in association with the computer database.
 50. The method of claim 43, wherein the computer database is a secure computer data storage facility.
 51. The method of claim 43, wherein the first one of the plurality of computer data content items is a computer-based document.
 52. The method of claim 43, wherein each corresponding classification attribute is stored in the computer database.
 53. The method of claim 43, wherein the assignment of each classification attribute is made in metadata associated with a corresponding one of the plurality of computer data content items.
 54. The method of claim 43, wherein the first classification attribute further indicates at least one of a location of a document, a publication source, a comment, a reply, and an association with other users.
 55. A method for tracking compliance to a company policy, the method comprising: providing a computer database in association with a computer server for storing a plurality of computer data content items, wherein each of the plurality of computer data content items is assigned a corresponding classification attribute that indicates a target audience by a first user through a first user computer in communication with the computer server via a network, and wherein at least a first classification attribute categorizes at least a first one of the plurality of computer data content items as belonging to a category that another user is restricted from viewing; providing, by the first user of the first user computer, permission for a second user through a second user computer to request access to the plurality of computer data content items; receiving, at the computer server, a request for access to the first one of the plurality of computer data content items from the second user through the second user computer via the network, wherein the request for access comprises a permission attribute that identifies at least one category of data content items that a second user is restricted from viewing, wherein the permission attribute is self-declared by the second user and restricts the second user's access to the first one of the plurality of computer data content items if the permission attribute self-declared by the second user matches the classification attribute assigned by the first user; granting access, by the computer server, to the second user to the first one of the plurality of computer data content items if the classification attribute assigned by the first user does not match the permission attribute self-declared by the second user; storing at least one detail of access to the first one of the plurality of computer data content items in an audit record, wherein the at least one detail comprises at least one of: an identification of the computer data content item, a time of access, the self-declared permission attribute at the time of access, the classification attribute at the time of access, and an identification of the second user; and providing the audit record to an authorized user as a report for tracking compliance to the company policy.
 56. The method of claim 55, wherein at least one of the first classification attribute and the permission attribute is associated with at least one of a company name and an individual name related to the content of the first one of the plurality of computer data content items.
 57. The method of claim 55, wherein the permission attribute is used to filter the plurality of computer data content items within the computer database in order to determine additional ones of the plurality of computer data content items to which the second user is granted access.
 58. The method of claim 55, wherein the assignment of the classification attribute is made in metadata associated with the first one of the plurality of computer data content items.
 59. A method for tracking compliance to a company policy, the method comprising: providing a computer database in association with a computer server for storing a plurality of computer data content items, wherein each of the plurality of computer data content items is assigned a corresponding classification attribute that indicates a target audience by a first user through a first user computer in communication with the computer server via a network, and wherein at least a first classification attribute categorizes at least a first one of the plurality of computer data content items as belonging to a category that another user is restricted from viewing; providing, by the first user of the first user computer, permission for a second user through a second user computer to request access to the plurality of computer data content items; receiving, at the computer server, a request for access to the first one of the plurality of computer data content items from the second user through the second user computer via the network, wherein the request for access comprises a permission attribute that identifies at least one category of data content items that a second user is not restricted from viewing, wherein the permission attribute is self-declared by the second user and restricts the second user's access to the first one of the plurality of computer data content items if the permission attribute self-declared by the second user does not match the classification attribute assigned by the first user; providing a hyperlink to the first one of the plurality of computer data content items by the server-based content access management facility if the first classification attribute assigned by the first user matches the permission attribute self-declared by the second user; and storing at least one detail of access to the first one of the plurality of computer data content items in an audit record, wherein the at least one detail comprises at least one of: an identification of the computer data content item, a time of access, the self-declared permission attribute at the time of access, the classification attribute at the time of access, and an identification of the second user; and providing the audit record to an authorized user as a report for tracking compliance to the company policy.
 60. The method of claim 59, wherein at least one of the first classification attribute and the permission attribute is associated with at least one of a company name and an individual name related to the content of the first one of the plurality of computer data content items.
 61. The method of claim 59, wherein the permission attribute is used to filter the plurality of computer data content items within the computer database in order to determine additional ones of the plurality of computer data content items to which the second user is granted access.
 62. The method of claim 59, wherein the assignment of each classification attribute is made in metadata associated with a corresponding one of each of the plurality of computer data content items.
 63. A method for tracking compliance to a policy, the method comprising: providing a computer database in association with a computer server for storing a plurality of computer data content items, wherein each of the plurality of computer data content items is assigned a corresponding classification attribute that indicates a target audience by a first user through a first user computer in communication with the computer server via a network, and wherein at least a first classification attribute categorizes at least a first one of the plurality of computer data content items as belonging to a category that another user is conflicted from viewing; providing, by the first user of the first user computer, permission for a second user through a second user computer to request access to the plurality of computer data content items; receiving, at the computer server, a request for access to the first one of the plurality of computer data content items from the second user through the second user computer via the network, wherein the request for access comprises a permission attribute that identifies at least one category of data content items that a second user is not conflicted from viewing, wherein the permission attribute is self-declared by the second user and restricts the second user's access to the first one of the plurality of computer data content items if the permission attribute self-declared by the second user does not match the first classification attribute assigned by the first user, and wherein the permission attribute reflects a policy associated with the second user; granting access, by the computer server, to the second user to the first one of the plurality of computer data content items if the first classification attribute assigned by the first user matches the permission attribute self-declared by the second user; storing at least one detail of access to the first one of the plurality of computer data content items in an audit record, wherein the at least one detail comprises at least one of: an identification of the computer data content item, a time of access, the self-declared permission attribute at the time of access, the first classification attribute at the time of access, and an identification of the second user; and providing the audit record to an authorized user as a report for tracking compliance to the policy.